CVE-2025-7401

CRITICAL

WordPress Premium Age Verification <3.0.2 - Info Disclosure

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-7401. PoCs published by Nxploited, Boshe99.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-7401, targeting the 'Premium Age Verification / Restriction for WordPress' plugin. The exploit leverages an unauthenticated arbitrary file write vulnerability in `remote_tunnel.php` to upload a PHP shell, enabling remote code execution.

Description

The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

Exploits (2)

github WORKING POC 2 stars
by Nxploited · python · poc
https://github.com/Nxploited/CVE-2025-7401

This repository contains a functional exploit for CVE-2025-7401, targeting the 'Premium Age Verification / Restriction for WordPress' plugin. The exploit leverages an unauthenticated arbitrary file write vulnerability in `remote_tunnel.php` to upload a PHP shell, enabling remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Premium Age Verification / Restriction for WordPress <= 3.0.2
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the target WordPress site
devstral-2 · analyzed Feb 19, 2026

github WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-7401

The repository contains functional exploit code for CVE-2025-7401, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the exploit by uploading a malicious file to a vulnerable endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Vulnerable WordPress plugin installed · Network access to the target
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 9.8
EPSS 0.0055
EPSS Percentile 41.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-798
Status published
Products (1)
aa-team/Premium Age Verification / Restriction for WordPress < 3.0.2
Published Jul 11, 2025
Tracked Since Feb 18, 2026